Malware Analysis Report (AR22-203A)

MAR-10386789-1.v1 – Log4Shell

Click to Tweet.
Click to send to Facebook.
Click to Share.
 
Malware Analysis Report
10386789.r1.v1
2022-07-26

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Summary

Description

Since December 2021, multiple threat actor groups have exploited Log4Shell on unpatched, public-facing VMware Horizon and Unified Access Gateway (UAG) servers. From May through June 2022, CISA provided remote incident support at an organization where CISA observed suspected Log4Shell PowerShell downloads. During remote support, CISA confirmed the organization was compromised by malicious cyber actors who exploited Log4Shell in a VMware Horizon server that did not have patches or workarounds applied. CISA analyzed five malware samples obtained from the organization’s network: two malicious PowerShell files, two Extensible Markup Language (XML) files, and a 64-bit compiled Python Portable Executable (PE) file.

The two PowerShell files are Trojan downloaders designed to download malicious files from a command and control (C2) server and install them on the compromised system. One of the scripts also checks for and installs Nmap if it is not installed on the compromised system. The two XML files are for scheduling tasks for persistence. The 64-bit compiled Python PE file is designed to perform scans for IP addresses of live hosts, open ports, and services running on those hosts.

For more information on Log4Shell, see: 

For a downloadable copy of IOCs, see: MAR-10386789-1.v1.stix.

Submitted Files (5)

1d459b9909adf98690635c62ea005009ede8eb9a665b8703fe2ad0b0c414816b (this.ps1)

4cdd06a36858ac32a09606bfecb54b517ad41a6aac1e37ca56bb1c193f8174cf (RuntimeService.exe)

76a2979d965d42f99558ca6ecd97734697249667291a3013d611e310a03f550e (ps.ps1)

c357879e2c1013dcf999bcdc65372eacf0895af4a4b4bad2b7d28108d3e7c46a (this.xml)

e3d2e6b5cd422de1be7e6aa830b91115d204ba5e87c77b6431f3313e0930a697 (that.xml)

Additional Files (8)

3b4d726bd366e7439367fa78a186dfa9b641d3b2ad354fd915581b6567480f94 (nmap.exe)

407d60626707baee29fb9f2597dd32cfd544ff46df7f76e51ff0b79b3ffce3f2 (this.xml)

42c844c62ad1b7ae1925973a9b6845b40d4f626a4895cba9ae9e3e3de3f7973a (n.zip)

6408217e10fac9f6549ffaaab328bcfeed4a7ebea71f3dcf60f6186e1b21b501 (that.xml)

817046c4fe89cd44dbb613cdac2f0c165e2b47d2b5245911ca6fabdda89d1691 (this.ps1)

b050749c87399f9978cc6eaea7d25405fc0d099a14c169f5c5f63b8b6ec98b0f (RuntimeService.exe)

e6bc8aa44233312058704b4d5954c45b4160841f470dd7f6d13c08940e61a7bb (ps.ps1)

fb833ecd1b1050304f364f879b8b1f7b7136e9c4a21aaf0a6c6b3f419e892d6d (elasticsearch.nse)

IPs (1)

66.70.238.65

Findings

1d459b9909adf98690635c62ea005009ede8eb9a665b8703fe2ad0b0c414816b

Tags

downloaderloadertrojan

Details
Name this.ps1
Size 7962 bytes
Type ASCII text, with very long lines, with CRLF line terminators
MD5 8aedb094121903a3bfc3dade34f48126
SHA1 ed1aad906c2d63c8593708fb685655b891a02854
SHA256 1d459b9909adf98690635c62ea005009ede8eb9a665b8703fe2ad0b0c414816b
SHA512 2c09fb3defdd4810c89d3acaa57fdf3fd1ca9cffe6db43bab73bc629db817d273254be9c35d9cdb161cd0f9c35f5537efafe68bf83d7adb7d022600fd26e6e89
ssdeep 192:Ki17MYm59jl5VlxN17MYmoFW2SvjkrvVlxN17MYm7rY2E2/:KIwZ99wnZ2wbrY9W
Entropy 5.256359
Path C:\Users\Public\Downloads\this.ps1
Antivirus
ESET PowerShell/TrojanDownloader.Agent.EQN trojan
YARA Rules
  • rule CISA_10386789_01 : downloader
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10386789"
           Date = "2022-06-08"
           Last_Modfied = "20220613_1130"
           Actor = "n/a"
           Category = "Downloader"
           Family = "n/a"
           Description = "Detects PowerShell downloader samples"
           MD5_1 = "8aedb094121903a3bfc3dade34f48126"
           SHA256_1 = "1d459b9909adf98690635c62ea005009ede8eb9a665b8703fe2ad0b0c414816b"
           MD5_2 = "1940ddb77882162f898bc3aae9c67d94"
           SHA256_2 = "817046c4fe89cd44dbb613cdac2f0c165e2b47d2b5245911ca6fabdda89d1691"
           MD5_3 = "84aadb11699f0c3ed062f484aa0a622e"
           SHA256_3 = "e6bc8aa44233312058704b4d5954c45b4160841f470dd7f6d13c08940e61a7bb"
           MD5_4 = "a439e7a030d52c8d31bf2c140ccf216b"
           SHA256_4 = "76a2979d965d42f99558ca6ecd97734697249667291a3013d611e310a03f550e"
       strings:
           $s0 = { 44 6F 63 75 6D 65 6E 74 73 5C 70 73 2E 70 73 31 }
           $s1 = { 44 6F 77 6E 6C 6F 61 64 73 5C 65 6C 61 73 74 69 63 73 65 61 72 63 68 2E 6E 73 65 }
           $s2 = { 5C 55 6E 69 6E 73 74 61 6C 6C 5C 4E 70 63 61 70 49 6E 73 74 }
           $s3 = { 5C 55 6E 69 6E 73 74 61 6C 6C 5C 4E 6D 61 70 }
           $s4 = { 2F 44 65 6C 65 74 65 20 2F 74 6E 20 22 52 75 6E 74 69 6D 65 20 53 65 72 76 69 63 65 22 }
           $s5 = { 44 6F 77 6E 6C 6F 61 64 73 5C 6E 2E 7A 69 70 22 }
           $s6 = { 5C 4D 69 63 72 6F 73 6F 66 74 5C 57 69 6E 64 6F 77 73 5C 52 75 6E 74 69 6D 65 20 55 70 64 61 74 65 20 53 65 72 76 69 63 65 }
           $s7 = { 44 6F 77 6E 6C 6F 61 64 73 5C 6E 6D 61 70 2E 65 78 65 22 }
           $t8 = { 6D 61 74 63 68 20 22 73 79 73 74 65 6D 70 72 6F 66 69 6C 65 }
           $t9 = { 2D 6E 6F 74 6D 61 74 63 68 20 22 41 70 70 44 61 74 61 }
           $t10 = { 20 6B 69 6C 6C 20 2D 49 64 20 }
           $t11 = { 2F 52 75 6E 20 2F 74 6E 20 22 52 75 6E 74 69 6D 65 20 53 65 72 76 69 63 65 }
           $t12 = { 44 6F 77 6E 6C 6F 61 64 73 5C 74 68 69 73 2E 70 73 31 }
       condition:
           all of ($s*) or all of ($t*)
    }
ssdeep Matches

No matches found.

Relationships
1d459b9909... Contains 66.70.238.65
1d459b9909... Connected_To 66.70.238.65
1d459b9909... Downloaded e3d2e6b5cd422de1be7e6aa830b91115d204ba5e87c77b6431f3313e0930a697
1d459b9909... Downloaded c357879e2c1013dcf999bcdc65372eacf0895af4a4b4bad2b7d28108d3e7c46a
1d459b9909... Downloaded 4cdd06a36858ac32a09606bfecb54b517ad41a6aac1e37ca56bb1c193f8174cf
1d459b9909... Downloaded 42c844c62ad1b7ae1925973a9b6845b40d4f626a4895cba9ae9e3e3de3f7973a
1d459b9909... Downloaded 76a2979d965d42f99558ca6ecd97734697249667291a3013d611e310a03f550e
Description

This artifact is a malicious PowerShell script file downloaded and installed by "ps.ps1" (a439e7a030d52c8d31bf2c140ccf216b) . When executed, it stops and deletes the running scheduled tasks below if they exist on the compromised system:

--Begin task name--
"Runtime Service"
"\Microsoft\Windows\Runtime Update Service"
--End task name--

It downloads and installs a scheduled task XML file and a PowerShell file below if the file "C:\Program Files (x86)\Nmap\RuntimeService.exe" is installed on the compromised system:

--Begin files--
C:\Users\Public\Downloads\that.xml ==> "9bf865e73bb0bf021af2d4a2ce1abdfe"
C:\Users\Public\Documents\ps.ps1 ==> "a439e7a030d52c8d31bf2c140ccf216b"
--End files--

It creates a scheduled task named "\Microsoft\Windows\Runtime Update Service" from the task specified in the above XML file to execute the file "C:\Users\Public\Documents\ps.ps1" at a specified time of each day for persistence, and then exits it code execution.

Displayed below is the command used to install the scheduled task named "\Microsoft\Windows\Runtime Update Service":

--Begin scheduled task--
"schtasks.exe /Create /XML "C:\Users\Public\Downloads\that.xml" /tn "\Microsoft\Windows\Runtime Update Service"
--End scheduled task--

If not, it checks if the Nmap file path "C:\Program Files (x86)\Nmap" is installed on the victim's system. If the file path exists, it will search for the running process named "RuntimeService", which is the 64-bit Python compiled PE file. It will attempt to terminate and delete it from "C:\Program Files (x86)\Nmap\RuntimeService.exe" if the file is running. It downloads and installs a scheduled task XML file and the Python compiled PE file. It copies the PE file from "C:\Users\Public\Downloads\RuntimeService.exe" to the Nmap installed folder "C:\Program Files (x86)\Nmap\RuntimeService.exe".

Displayed below are the scheduled task XML file and PE file installed at runtime:

--Begin files--
C:\Users\Public\Downloads\this.xml ==> "e4ea99b9a35807bae6bc2885b220c498"
C:\Users\Public\Downloads\RuntimeService.exe ==> copied to C:\Program Files (x86)\Nmap\RuntimeService.exe. ==> "eda057d006561e28563813b2e81b9fd0"
--End files--

It creates a scheduled task named "Runtime Service" from the task specified in the above "this.xml" file on the victim's system to execute the PE file "C:\Program Files (x86)\Nmap\RuntimeService.exe" with predefined arguments in every system reboot for persistence.

Displayed below is the command used to install the scheduled task named "Runtime Service":

--Begin scheduled task--
"schtasks.exe /Create /XML "C:\Users\Public\Downloads\this.xml" /tn "Runtime Service"
--End scheduled task--

If the Nmap file path "C:\Program Files (x86)\Nmap" is not installed on the victim's system, it will download a zip file from its C2 server to "C:\Users\Public\Downloads\n.zip". The zip file contains the Nmap installer and the NSE file. It installs the Nmap installer on the compromised system with the command below:

--Begin command--
start "C:\Users\Public\Downloads\Nmap.exe" "/S"
--End command--

It will download the these files RuntimeService.exe, this.xml, that.xml, and ps.ps1 files from its C2 server into "C:\Users\Public\Downloads\".

It copies the NSE file from the current directory "C:\Users\Public\Downloads\elasticsearch.nse" to "C:\Program Files (x86)\Nmap\scripts\elasticsearch.nse", and the Python PE file "C:\Users\Public\Downloads\RuntimeService.exe" to "C:\Program Files (x86)\Nmap\RuntimeService.exe". It creates scheduled tasks named "Runtime Service" and "Runtime Update Service" from the task specified in the above XML files on the victim's system for persistence.

It deletes the command line for removing the Nmap application and the Nmap project's packet capture (Npcap) installed from the registry by changing the "UninstallString" registry value to a null string under the following registry keys:

--Begin registry entries--
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\NpcapInst"
"UninstallString"="C:\Program Files\Npcap\uninstall.exe"

"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Nmap"
"UninstallString" = "C:\Program Files (x86)\Nmap\uninstall.exe"
--End registry entries--

It deletes the files below from the victim's system:

--Begin files--
C:\Users\Public\Downloads\nmap.exe
C:\Users\Public\Downloads\elasticsearch.nse
C:\Users\Public\Downloads\n.zip
C:\Users\Public\Downloads\RuntimeService.exe
C:\Users\Public\Downloads\this.xml
C:\Users\Public\Downloads\that.xml"
--End files--

Displayed below are the list of Uniform Resource Identifiers (URIs) used to download the files above:

--Begin URIs--
http[:]//66[.]70[.]238[.]65/RuntimeService.exe
http[:]//66[.]70[.]238[.]65/this.xml
http[:]//66[.]70[.]238[.]65/that.xml
http[:]//66[.]70[.]238[.]65/ps.ps1
http[:]//66[.]70[.]238[.]65/n.zip
--End URIs--

Screenshots
Figure 1 - A snippet of the contents of the file "this.ps1".

Figure 1 - A snippet of the contents of the file "this.ps1".

76a2979d965d42f99558ca6ecd97734697249667291a3013d611e310a03f550e

Tags

downloaderloadertrojan

Details
Name ps.ps1
Size 5059 bytes
Type UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
MD5 a439e7a030d52c8d31bf2c140ccf216b
SHA1 234634e2659cea2c34b522664ba5f2be33b9f7df
SHA256 76a2979d965d42f99558ca6ecd97734697249667291a3013d611e310a03f550e
SHA512 92bc008e549a0a47cfcd9cbc9f2692c822dc6a1410d20d31fb15e2bd788fccae30f1213cb103ccf3650fb03339c1ee8d5ed3f80f548933b209f1aaa4ea660e46
ssdeep 96:vVoVjizdtFKr5UY6YZTpcXLxunpt17zIZzYuWmZd/lxq4:vVeLd6YZTpcXLxE17MZ9/Zd9xq4
Entropy 5.197759
Path C:\Users\Public\Documents\ps.ps1
Antivirus
ESET PowerShell/TrojanDownloader.Agent.EQN trojan
YARA Rules
  • rule CISA_10386789_01 : downloader
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10386789"
           Date = "2022-06-08"
           Last_Modfied = "20220613_1130"
           Actor = "n/a"
           Category = "Downloader"
           Family = "n/a"
           Description = "Detects PowerShell downloader samples"
           MD5_1 = "8aedb094121903a3bfc3dade34f48126"
           SHA256_1 = "1d459b9909adf98690635c62ea005009ede8eb9a665b8703fe2ad0b0c414816b"
           MD5_2 = "1940ddb77882162f898bc3aae9c67d94"
           SHA256_2 = "817046c4fe89cd44dbb613cdac2f0c165e2b47d2b5245911ca6fabdda89d1691"
           MD5_3 = "84aadb11699f0c3ed062f484aa0a622e"
           SHA256_3 = "e6bc8aa44233312058704b4d5954c45b4160841f470dd7f6d13c08940e61a7bb"
           MD5_4 = "a439e7a030d52c8d31bf2c140ccf216b"
           SHA256_4 = "76a2979d965d42f99558ca6ecd97734697249667291a3013d611e310a03f550e"
       strings:
           $s0 = { 44 6F 63 75 6D 65 6E 74 73 5C 70 73 2E 70 73 31 }
           $s1 = { 44 6F 77 6E 6C 6F 61 64 73 5C 65 6C 61 73 74 69 63 73 65 61 72 63 68 2E 6E 73 65 }
           $s2 = { 5C 55 6E 69 6E 73 74 61 6C 6C 5C 4E 70 63 61 70 49 6E 73 74 }
           $s3 = { 5C 55 6E 69 6E 73 74 61 6C 6C 5C 4E 6D 61 70 }
           $s4 = { 2F 44 65 6C 65 74 65 20 2F 74 6E 20 22 52 75 6E 74 69 6D 65 20 53 65 72 76 69 63 65 22 }
           $s5 = { 44 6F 77 6E 6C 6F 61 64 73 5C 6E 2E 7A 69 70 22 }
           $s6 = { 5C 4D 69 63 72 6F 73 6F 66 74 5C 57 69 6E 64 6F 77 73 5C 52 75 6E 74 69 6D 65 20 55 70 64 61 74 65 20 53 65 72 76 69 63 65 }
           $s7 = { 44 6F 77 6E 6C 6F 61 64 73 5C 6E 6D 61 70 2E 65 78 65 22 }
           $t8 = { 6D 61 74 63 68 20 22 73 79 73 74 65 6D 70 72 6F 66 69 6C 65 }
           $t9 = { 2D 6E 6F 74 6D 61 74 63 68 20 22 41 70 70 44 61 74 61 }
           $t10 = { 20 6B 69 6C 6C 20 2D 49 64 20 }
           $t11 = { 2F 52 75 6E 20 2F 74 6E 20 22 52 75 6E 74 69 6D 65 20 53 65 72 76 69 63 65 }
           $t12 = { 44 6F 77 6E 6C 6F 61 64 73 5C 74 68 69 73 2E 70 73 31 }
       condition:
           all of ($s*) or all of ($t*)
    }
ssdeep Matches

No matches found.

Relationships
76a2979d96... Downloaded_By 1d459b9909adf98690635c62ea005009ede8eb9a665b8703fe2ad0b0c414816b
76a2979d96... Downloaded 4cdd06a36858ac32a09606bfecb54b517ad41a6aac1e37ca56bb1c193f8174cf
76a2979d96... Connected_To 66.70.238.65
76a2979d96... Downloaded e3d2e6b5cd422de1be7e6aa830b91115d204ba5e87c77b6431f3313e0930a697
76a2979d96... Downloaded c357879e2c1013dcf999bcdc65372eacf0895af4a4b4bad2b7d28108d3e7c46a
76a2979d96... Contains 66.70.238.65
Description

This artifact is a malicious PowerShell script file downloaded and installed by "this.ps1" (8aedb094121903a3bfc3dade34f48126) and "ps.ps1" (a439e7a030d52c8d31bf2c140ccf216b). This file and "84aadb11699f0c3ed062f484aa0a622e" have similar code functions. When executed, it checks and stops any process running from the specified paths:

--Begin file paths--
C:\Windows\Temp
C:\Windows\System32\config\systemprofile
--End file paths--

If not, it checks if the scheduled task named "Runtime Service" is installed on the victim's system. If not, it downloads and installs the XML scheduled task file "C:\Users\Public\Downloads\this.xml" (e4ea99b9a35807bae6bc2885b220c498) and creates a scheduled task named "Runtime Service" from the task specified in the XML file on the victim's system. This task is designed to run the file "C:\Program Files (x86)\Nmap\RuntimeService.exe" with predefined arguments in every system reboot.

It checks if the scheduled task named "\Microsoft\Windows\Runtime Update Service" is installed on the victim's system. If not, it downloads and installs the XML scheduled task file "C:\Users\Public\Downloads\that.xml" (9bf865e73bb0bf021af2d4a2ce1abdfe) and creates a scheduled task named "\Microsoft\Windows\Runtime Update Service" from the task specified in the XML file on the victim's system. This task is designed to run the PowerShell script file from "C:\Users\Public\Documents\ps.ps1" in a specified date and time.

It checks if the Nmap file path "C:\Program Files (x86)\Nmap" is installed on the victim's system. If the file path is not installed, it downloads a PowerShell file from its C2 server to "C:\Users\Public\Downloads\this.ps1" (8aedb094121903a3bfc3dade34f48126) before executing it using the command below:

--Begin command--
"Powershell.exe -ExecutionPolicy UnRestricted -File "C:\Users\Public\Downloads\this.ps1"
--End command--

If the Nmap file path is installed, it checks if the PE file "C:\Program Files (x86)\Nmap\RuntimeService.exe" (eda057d006561e28563813b2e81b9fd0) is also installed on the victim's system. If the PE file is not installed, it downloads and installs the PE file into "C:\Users\Public\Downloads\RuntimeService.exe" (eda057d006561e28563813b2e81b9fd0) if the PE file is not installed on the victim's system. It copies the PE file from "C:\Users\Public\Downloads\RuntimeService.exe" to the Nmap file path "C:\Program Files (x86)\Nmap\RuntimeService.exe". It enables and runs the scheduled task named "Runtime Service" to execute the PE file "C:\Program Files (x86)\Nmap\RuntimeService.exe".

If the PE file is installed, it will attempt to retrieve and verify the last write time of the file with the date and time: "Sunday, April 24, 2022 11:31:45 AM" retrieved from the C2 server using the hard-coded URI:"http[:]//66[.]70[.]238[.]65/txt.txt".

Analysis indicates that if the last write time of the file is less than the date and time retrieved from the C2 server, it will search for the running process named "RuntimeService" and attempt to terminate and delete it from "C:\Program Files (x86)\Nmap\RuntimeService.exe" if the file is running on the victim's system. It downloads and installs the PE file into "C:\Users\Public\Downloads\RuntimeService.exe". It copies the PE file from "C:\Users\Public\Downloads\RuntimeService.exe" to the Nmap file path "C:\Program Files (x86)\Nmap\RuntimeService.exe". It enables and runs the scheduled task named "Runtime Service" to execute the PE file "C:\Program Files (x86)\Nmap\RuntimeService.exe".

It is designed to delete the other files below before existing its code execution:

--Begin deleted files--
"C:\Users\Public\Downloads\RuntimeService.exe"
"C:\Users\Public\Downloads\this.xml"
"C:\Users\Public\Downloads\that.xml"
"C:\Users\Public\Downloads\this.ps1"
--End deleted files--

Displayed below are the URIs used to download the files above:

--Begin URIs--
http[:]//66[.]70[.]238[.]65/RuntimeService.exe
http[:]//66[.]70[.]238[.]65/this.xml
http[:]//66[.]70[.]238[.]65/that.xml
http[:]//66[.]70[.]238[.]65/this.ps1
--End URIs--

Screenshots
Figure 2 - A snippet of the contents of the PowerShell script file "ps.ps1".

Figure 2 - A snippet of the contents of the PowerShell script file "ps.ps1".

e3d2e6b5cd422de1be7e6aa830b91115d204ba5e87c77b6431f3313e0930a697

Details
Name that.xml
Size 3864 bytes
Type XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
MD5 9bf865e73bb0bf021af2d4a2ce1abdfe
SHA1 e0a380e876177d3efed2f36194521d648b10880a
SHA256 e3d2e6b5cd422de1be7e6aa830b91115d204ba5e87c77b6431f3313e0930a697
SHA512 e63aa24f116befcff1df96bf98c0c921730d511f5dace18821a8f0a5c6889adeff1ad263843f2df3e22768f4d04226c3959b7fb31cea9bc65d3469b6b4d056af
ssdeep 48:yei1q97AONTUmZL1eD4idocMUF39Qg9c9V9Lvara+iniudupRCRf9ufAuRa7G5XJ:ts+4D4id6h4iGdinigV9ll7EHFnAB+
Entropy 3.570362
Path C:\Users\Public\Downloads\that.xml
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
e3d2e6b5cd... Downloaded_By 1d459b9909adf98690635c62ea005009ede8eb9a665b8703fe2ad0b0c414816b
e3d2e6b5cd... Downloaded_By 76a2979d965d42f99558ca6ecd97734697249667291a3013d611e310a03f550e
e3d2e6b5cd... Downloaded_From 66.70.238.65
Description

This artifact is the scheduled task XML file downloaded and installed by "8aedb094121903a3bfc3dade34f48126" and "a439e7a030d52c8d31bf2c140ccf216b". It contains the task's properties, triggers, actions, conditions, and settings used to create a scheduled task named "\Microsoft\Windows\Runtime Update Service" for persistence. It is designed to execute the PowerShell script file from "C:\Users\Public\Documents\ps.ps1" in everyday from January 01, 2022. This file and "80343fb39fe8657f3f3904509b59d1d2" have similar code functions.

Screenshots
Figure 3 - A snippet of the contents of the XML file "that.xml".

Figure 3 - A snippet of the contents of the XML file "that.xml".

Figure 4 - The scheduled task named "Runtime Update Service" created from the tasks specified in the XML file "that.xml" to execute the file "C:\Users\Public\Documents\ps.ps1" at a specified time of each day for persistence.

Figure 4 - The scheduled task named "Runtime Update Service" created from the tasks specified in the XML file "that.xml" to execute the file "C:\Users\Public\Documents\ps.ps1" at a specified time of each day for persistence.

c357879e2c1013dcf999bcdc65372eacf0895af4a4b4bad2b7d28108d3e7c46a

Details
Name this.xml
Size 3570 bytes
Type XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
MD5 e4ea99b9a35807bae6bc2885b220c498
SHA1 26cb85e6c339050b49f6854df338928e21b7c512
SHA256 c357879e2c1013dcf999bcdc65372eacf0895af4a4b4bad2b7d28108d3e7c46a
SHA512 621d4442c4fae8a7fcb47d53fdf38e2facfef833ec4d8fead4a88a113ebe0574674b06afb9496f4f31ad918864509df049008094b71b06e18307413276eeb79f
ssdeep 48:yeiqq97yNTFL1eb9c9V9LTra+iaiudupRCRfMufAuRa7G5X3l+3BNdHPsV8iDdvQ:cU4pwdiaigVMll7UY5HFQ+
Entropy 3.586698
Path C:\Users\Public\Downloads\this.xml
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
c357879e2c... Downloaded_By 1d459b9909adf98690635c62ea005009ede8eb9a665b8703fe2ad0b0c414816b
c357879e2c... Used 66.70.238.65
c357879e2c... Downloaded_By 76a2979d965d42f99558ca6ecd97734697249667291a3013d611e310a03f550e
Description

This artifact is the scheduled task XML file downloaded and installed by "8aedb094121903a3bfc3dade34f48126" and "a439e7a030d52c8d31bf2c140ccf216b". This file and "d5e111c8cea4d2c8e8ae15a570ff8d3d" have similar code functions. It contains the task's properties, triggers, actions, conditions, and settings used to create a scheduled task named "Runtime Service" for persistence. It is designed to execute the Python compiled PE file from "C:\Program Files (x86)\Nmap\RuntimeService.exe" with the arguments below in every system reboot.

--Begin arguments--
[C2 server IP address] [Port number] [threads]
66[.]70[.]238[.]65 50106 250
--End arguments--

Screenshots
Figure 5 - A snippet of the contents of the XML file "this.xml".

Figure 5 - A snippet of the contents of the XML file "this.xml".